How to identify and define a struct in IDA pro Decompiling during reverse engineering? Please explain the easiest way to figure out the struct in IDA Pro decompilation! To make life easier are there any IDA Pro scripts to automate this task?
1 Answer
How-to
To define a valuable structure you need to find its length and memory layout first. If you're researching a C++ binary, this is easiest done by finding the constructor(s) of the structure or its parent and then following all usage of the data across the binary.
Static analysis
To define a new structure type, open Local Types or Structures view and press Insert to add the structure definition.
You can also create them from pseudocode view by right-clicking the desired variable name and choosing Create new struct type or apply an existing type with Convert to struct *.
This could be automated using ida_struct and/or ida_typeinf modules.
Debugging
I don't think IDA has any utilities to help you identify or create structures at runtime, but there exist 3rd party tools such as ReClassEx designed to help with raw memory dump structuring if you need it.
